为什么 go.sum 文件中包含了这么多旧版本的包?

huangapple go评论95阅读模式
英文:

Why does go.sum include so many older packages

问题

我一直在处理一组项目,涉及更新依赖项,有一件事我没有明确的答案,那就是为什么生成的总和文件中列出了这么多旧版本的每个依赖项。

在我们的项目中,通过一个旧版本的golang.org/x/crypto引入了一些漏洞,我们通过一个replace指令解决了这个问题,将其替换为一个具有安全修复的软件包版本,但这并不感觉很正确,可能会将我们锁定在一个不安全的软件包版本中。

现在,我已经更新了依赖于旧版本golang.org/x/crypto的软件包,并回到了具有替换指令的软件包,并尝试进行更新,但我仍然看到旧版本的软件包被列出。

我想知道这对我们的项目意味着什么,以及我如何找出它们最初被包含的原因?

运行一个简单的go mod why -m golang.org/x/crypto命令显示只有一个依赖于golang.org/x/crypto的项目是我已经更新过的那个。

英文:

I've been going though a set of projects, dealing with updating dependencies and there is one thing I don't have a clear answer to and that is why the generated sum file lists so many older versions of each dependency.

in our project we had some vulnerabilities introduced though an older version of
golang.org/x/crypto
that we resolved though a replace directive to a package release with security fixes but this doesn't feel very correct and could lock us into an insecure version of a package.

now I have gone though and updated the package which depended on an older version of golang.org/x/crypto and looped back to the package with the the replace directive and attempted an update but I still see the older packages listed.

I'm wondering what this means for our project and how I can find why these are included in the first place?

running a simple
go mod why -m golang.org/x/crypto
reveals that the only project dependent on
golang.org/x/crypto
was the one that I had updated.

答案1

得分: 23

@JimB在go sum上提供了一些文档,其中包含以下说明:

go.sum文件可能包含多个模块版本的哈希值。为了执行最小版本选择,go命令可能需要从多个依赖项的go.mod文件中加载。go.sum还可能包含不再需要的模块版本的哈希值(例如升级后)。go mod tidy将添加丢失的哈希值,并从go.sum中删除不必要的哈希值。

而go sum中定义的包的结果集来自于最小版本选择过程,这似乎是一个深入的主题。

一个例子是将"google.golang.org/grpc/metadata"导入到一个模块中,在该模块中运行go mod tidy,得到的sum文件的一小部分如下所示:

github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=

每个版本的引用表示最小版本选择算法图中的一个节点。

将以下内容添加到mod文件中:

replace github.com/golang/protobuf => github.com/golang/protobuf v1.4.3

并运行go mod tidy,protobuf的结果sum条目将更改为:

github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=

因为replace指令表示替换所有版本,所以依赖图中的所有节点都被替换为v1.4.3,这简化为只包含单个版本的依赖项v1.4.3。

至于我在漏洞扫描器中遇到的问题,似乎作者对Golang的依赖项检查方式不太了解,将模块升级到go 1.17,其中间依赖项在mod文件中列出,但sum条目仍然标记项目存在漏洞。

英文:

@JimB offered some documentation on go sum with the following statement

>The go.sum file may contain hashes for multiple versions of a module. The go command may need to load go.mod files from multiple versions of a dependency in order to perform minimal version selection. go.sum may also contain hashes for module versions that aren’t needed anymore (for example, after an upgrade). go mod tidy will add missing hashes and will remove unnecessary hashes from go.sum.

And the resulting set of packages defined in a go sum comes from the minimal version selection process which seems to be a deep topic.

An example would be importing "google.golang.org/grpc/metadata" into a module, running go mod tidy in the module and a small portion of a resulting sum file would be the following:

github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=

each reference to a version indictates a node in the minimal version selection algorithm graph

adding the following to the mod file

replace github.com/golang/protobuf => github.com/golang/protobuf v1.4.3

and running a go mod tidy, the resulting sum entry for protobuf changes to:

github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=

because the replace directive indicates a replacement of all versions so all nodes in the dependency graph are replaced with v1.4.3 which just simplifies to the inclusion of the single version of the dependency v1.4.3

As for the issue I had with the vulnerability scanner, it seems the author of it was unaware of of how dependencies should be checked for Golang and upgrading the module to go 1.17 where indirect dependencies are listed in the mod file didn't stop the sum entries from flagging the project for vulnerabilities.

huangapple
  • 本文由 发表于 2021年11月3日 21:16:25
  • 转载请务必保留本文链接:https://go.coder-hub.com/69825533.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定